Microsoft failed to patch bugs it knew about

A security team from Microsoft Corporation has acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005, yet failed to patch the issues. The team says it did not fix them because it believed the obvious attack vectors were already blocked.

Mike Reavey, MSRC’s Operations Manager, admitted that researchers and others outside Microsoft had notified the company in both 2005 and 2007 of separate bugs in Jet (a Windows component providing data access to Visual Basic and Microsoft Access applications).

Microsoft apparently informed the researchers that it would not fix the flaw because it considered the users who would be affected by it to be ‘safe’: Microsoft Outlook blocked the opening of the .mdb file format, Exchange servers stripped .mdb files from incoming messages, and Internet Explorer issued warnings when users clicked on such files.

And while this might have been true then, hackers are now using new attack strategies. Symantec claims that attackers are doing an ‘end run’ around Outlook: the attack vector they use loads an .mdb file when the victim opens a Word document, so the file never has to be opened as an .mdb attachment.

According to Symantec, Microsoft should have fixed these flaws years ago. Microsoft appears to finally be listening; it has issued a security advisory warning users of Word on Windows 2000, XP and Server 2003 SP1 to take defensive steps.

The MSRC is still trying to decide how it wants to patch the vulnerability. Reavey did not provide any details on the patch release, but last week information from MSRC indicated that the fix might be delivered as an “out of band” release, ahead of the next regularly scheduled security update on April 8th.

In the meantime, until Microsoft releases the patch, Reavey urged users to either disable the Jet Database Engine or to block .mdb files at the gateway.
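The second of those workarounds, blocking .mdb files at the gateway, is only as good as the check behind it: since the attack described above delivers the database through a Word document rather than as a bare .mdb attachment, an extension-only filter misses it. The following is an added example written for this article, not code from Microsoft, Symantec or any gateway product; it assumes a mail or web gateway that hands each attachment to a Python hook as a filename plus its raw bytes, and it flags the attachment by extension, by the Jet file signature (the ASCII string "Standard Jet DB" at byte offset 4 of Access 97/2000/2003 databases), and by that signature appearing inside another file. The sample attachments are constructed inline.

```python
"""Gateway-side filter for Jet (.mdb) content in attachments.

Added example (not from the article or from any vendor). Assumes the
gateway calls inspect_attachment(filename, data) for each attachment
and acts on the returned verdict.
"""
from dataclasses import dataclass
import os

# Jet 3.x/4.x (.mdb) databases carry this ASCII marker at byte offset 4.
JET_SIGNATURE = b"Standard Jet DB"
JET_SIGNATURE_OFFSET = 4


@dataclass
class Verdict:
    action: str   # "block" or "allow"
    reason: str   # human-readable explanation for the gateway log


def is_jet_database(data: bytes) -> bool:
    """True if the bytes start with a Jet database header (regardless of filename)."""
    end = JET_SIGNATURE_OFFSET + len(JET_SIGNATURE)
    return len(data) >= end and data[JET_SIGNATURE_OFFSET:end] == JET_SIGNATURE


def contains_embedded_jet(data: bytes) -> bool:
    """Heuristic: the Jet signature occurs somewhere past the file header,
    as it would when an .mdb is stored raw inside a .doc container."""
    return data.find(JET_SIGNATURE, JET_SIGNATURE_OFFSET + 1) != -1


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Return a block/allow verdict for one attachment.

    Checks run from cheapest to most expensive; any hit blocks the file.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".mdb":
        return Verdict("block", "attachment has .mdb extension")
    if is_jet_database(data):
        return Verdict("block", f"Jet database header found in {filename}")
    if contains_embedded_jet(data):
        return Verdict("block", f"embedded Jet database found in {filename}")
    return Verdict("allow", "no Jet content detected")


# --- constructed sample attachments (not real malware samples) ---------------

def _fake_mdb() -> bytes:
    # Four bytes of header, the Jet marker, then filler standing in for the
    # rest of the database file.
    return b"\x00\x01\x00\x00" + JET_SIGNATURE + b"\x00" + b"\x00" * 64


def _fake_doc_with_mdb() -> bytes:
    # OLE compound-file magic (the .doc container) followed by filler and a
    # raw embedded Jet file, mimicking the "mdb inside a Word doc" vector.
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return ole_magic + b"\x00" * 120 + _fake_mdb()


SAMPLES = {
    "report.mdb": _fake_mdb(),          # caught by extension
    "renamed.txt": _fake_mdb(),         # extension evasion, caught by header
    "invoice.doc": _fake_doc_with_mdb(),  # caught by embedded-signature scan
    "notes.txt": b"plain text, nothing to see",  # allowed
}


def run_samples() -> dict:
    """Run every constructed sample through the filter; returns name -> action."""
    return {name: inspect_attachment(name, data).action
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = inspect_attachment(name, data)
        print(f"{name:14} {verdict.action:5} {verdict.reason}")
```

The embedded-signature scan is deliberately broad: it trades a small false-positive rate (any file that happens to contain the 15-byte marker) for catching the container-based delivery the article describes, which a filename rule alone cannot. In a real deployment the verdict would feed the gateway's quarantine action and its log, so the reason string is kept specific enough to triage.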